Date: Tue, 22 Oct 2002 11:32:49 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: "Marc G. Fournier" <scrappy@hub.org>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: determining "originator/source" of connection ...
Message-ID: <20021022113249.C33933@carp.icir.org>
In-Reply-To: <20021022143427.Y47756-100000@hub.org>; from scrappy@hub.org on Tue, Oct 22, 2002 at 02:47:36PM -0300
References: <20021022143427.Y47756-100000@hub.org>
let me understand: you basically want something that puts flow statistics
in the bucket identified by the <dst-ip,dst-port> of the first SYN packet
you see (the assumption being that connections are initiated by clients
towards a well-known port, which appears as dst-port in the first SYN
packet)?

Or, if you are just happy to aggregate by IP, one solution I often use is
the following (based on dummynet's dynamic pipes):

    # do not expire pipes even if they have no pending traffic
    sysctl net.inet.ip.dummynet.expire=0

    # create separate pipes for src and dst masks
    # (one dynamic pipe, i.e. one counter, per distinct address)
    ipfw pipe 20 config mask src-ip 0xffffffff buckets 256
    ipfw pipe 21 config mask dst-ip 0xffffffff buckets 256

    # outbound traffic is keyed by its source address,
    # inbound traffic by its destination address
    ipfw add pipe 20 ip from $my_subnet to any
    ipfw add pipe 21 ip from any to $my_subnet

cheers
luigi

On Tue, Oct 22, 2002 at 02:47:36PM -0300, Marc G. Fournier wrote:
>
> I've got FreeBSD set up as a firewall to our campus network, and it's doing
> a great job of it, but we want to be able to log statistics on traffic going
> in and out ...
>
> I have trafd running on the server, with it dumping its data to a
> PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
> records ... so ~90k/hr, or 2.16 million per day ...
>
> Now, I'm figuring that if I could determine direction of flow (did we
> originate the connection, or did someone off campus originate it), I could
> shrink that greatly, as right now I have stuff like:
>
> 216.158.133.242 80 131.162.158.24 3914 6 2356 4
> 216.158.133.242 80 131.162.158.24 3915 6 47767 34
> 216.158.133.242 80 131.162.158.24 3916 6 78962 56
> 216.158.133.242 80 131.162.158.24 3917 6 330141 224
> 216.158.133.242 80 131.162.158.24 3918 6 118862 89
> 216.158.133.242 80 131.162.158.24 3919 6 264139 185
> 216.158.133.242 80 131.162.158.24 3920 6 259543 179
> 216.158.133.242 80 131.162.158.24 3921 6 98014 73
> 216.158.133.242 80 131.162.158.24 3922 6 267772 186
> 216.158.133.242 80 131.162.158.24 3923 6 148879 109
> 216.158.133.242 80 131.162.158.24 3924 6 6406 8
> 216.158.133.242 80 131.162.158.24 3925 6 2486 5
> 216.158.133.242 80 131.162.158.24 3928 6 109584 75
> 216.158.133.242 80 131.162.158.24 3929 6 92435 62
> 216.158.133.242 80 131.162.158.24 3936 6 13059 9
> 216.158.133.242 80 131.162.158.24 3937 6 22641 17
>
> where I don't care about the source port, only the dest port ... except,
> in the above, trafd is writing it as 'source port == 80' and 'dest port'
> is arbitrary ...
>
> while later in the results, I'll get something like:
>
> 130.94.4.7 40072 131.162.138.193 25 6 2976 10
> 130.94.4.7 58562 131.162.138.193 25 6 5249 16
>
> which does make sense (i.e. source port -> dest port) ...
>
> is there something that I can do with libpcap that will give me better
> information than trafd does? is there a 'tag' in the IP headers that can
> be used to determine the originator of the connection?
>
> thanks ...
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
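The direction rule Luigi sketches (bucket by the <dst-ip,dst-port> of the first bare SYN, since the TCP handshake, not any IP header field, is what identifies the initiator) can be applied to raw packets as they come off libpcap. The script below is an added example written for this page, not code from the thread or from trafd or dummynet: it parses minimal IPv4/TCP headers, learns the client/server ends of each 4-tuple from the SYN (or from a SYN-ACK if the SYN was missed), falls back to a labelled lower-port heuristic for flows caught mid-stream, and aggregates bytes per direction with the ephemeral client port collapsed away, which is the row shape Marc asked for. All packets, hosts and ports are constructed for the demo; with real traffic the raw bytes would come from a pcap loop with an Ethernet header stripped first.

```python
"""Direction-aware TCP flow aggregation from raw IPv4/TCP packets.

Added example (not from the mailing-list thread). Hosts, ports and packets
below are constructed for the demo; no checksums are computed or checked.
"""
import socket
import struct
from collections import defaultdict

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, sport, dst, dport, flags, payload_len=0):
    """Build a minimal IPv4+TCP packet (no options, zero checksums): demo input only."""
    total_len = 40 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + b"\x00" * payload_len


def parse_packet(raw):
    """Return 5-tuple, TCP flags and IP total length of a raw IPv4/TCP packet, else None."""
    if len(raw) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != 6 or len(raw) < ihl + 20:
        return None          # not IPv4/TCP, or truncated: ignore rather than guess
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "sport": sport, "dst": socket.inet_ntoa(dst),
            "dport": dport, "flags": flags, "length": total_len}


class FlowTable:
    """Learns which end of each TCP 4-tuple originated it; aggregates bytes per direction."""

    def __init__(self):
        self.origin = {}  # normalised 4-tuple -> (how, client_end, server_end)
        # (client_ip, server_ip, server_port, how) -> [pkts_out, bytes_out, pkts_in, bytes_in]
        self.stats = defaultdict(lambda: [0, 0, 0, 0])

    @staticmethod
    def _key(p):
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        return (a, b) if a <= b else (b, a)      # same key for both directions

    def feed(self, p):
        k = self._key(p)
        handshake = p["flags"] & (TH_SYN | TH_ACK)
        if handshake == TH_SYN:
            # Bare SYN: the sender is the initiator. Always (re)set, so a reused
            # ephemeral port starting a fresh connection is re-learned.
            self.origin[k] = ("syn", (p["src"], p["sport"]), (p["dst"], p["dport"]))
        elif k not in self.origin:
            if handshake == TH_SYN | TH_ACK:
                # Missed the SYN but caught the SYN-ACK: the sender is the server.
                self.origin[k] = ("synack", (p["dst"], p["dport"]), (p["src"], p["sport"]))
            else:
                # Mid-stream flow, no handshake seen: guess the lower port is the
                # service. Labelled "heuristic" so the guess is visible in the output.
                lo, hi = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])],
                                key=lambda e: e[1])
                self.origin[k] = ("heuristic", hi, lo)
        how, client, server = self.origin[k]
        rec = self.stats[(client[0], server[0], server[1], how)]
        if (p["src"], p["sport"]) == client:
            rec[0] += 1; rec[1] += p["length"]   # client -> server
        else:
            rec[2] += 1; rec[3] += p["length"]   # server -> client


def aggregate(raw_packets):
    """Feed raw packets through a FlowTable and return its per-flow stats."""
    table = FlowTable()
    for raw in raw_packets:
        p = parse_packet(raw)
        if p is not None:
            table.feed(p)
    return table.stats


def demo_packets():
    """Constructed capture: two web connections, one mid-stream SMTP flow, one missed SYN."""
    C, S, M, X = "131.162.158.24", "216.158.133.242", "130.94.4.7", "131.162.138.193"
    return [
        build_packet(C, 3914, S, 80, TH_SYN),                 # full handshake, port 3914
        build_packet(S, 80, C, 3914, TH_SYN | TH_ACK),
        build_packet(C, 3914, S, 80, TH_ACK),
        build_packet(C, 3914, S, 80, TH_PSH | TH_ACK, 300),
        build_packet(S, 80, C, 3914, TH_ACK, 1200),
        build_packet(C, 3915, S, 80, TH_SYN),                 # second connection, same server
        build_packet(S, 80, C, 3915, TH_SYN | TH_ACK),
        build_packet(C, 3915, S, 80, TH_PSH | TH_ACK, 200),
        build_packet(M, 40072, X, 25, TH_ACK, 500),           # no handshake captured
        build_packet(X, 25, M, 40072, TH_ACK, 100),
        build_packet(S, 443, C, 3930, TH_SYN | TH_ACK),       # SYN missed, SYN-ACK seen
        build_packet(C, 3930, S, 443, TH_ACK, 80),
    ]


if __name__ == "__main__":
    print("client           server           port  how        out(pkts/bytes)  in(pkts/bytes)")
    for (client, server, port, how), (po, bo, pi, bi) in sorted(aggregate(demo_packets()).items()):
        print(f"{client:16} {server:16} {port:5} {how:10} {po:5}/{bo:<10} {pi:5}/{bi}")
```

Both 3914 and 3915 collapse into a single row keyed by <131.162.158.24, 216.158.133.242, 80>, which is the reduction Marc was after. Two caveats worth keeping in mind: a flow whose handshake was not captured is only a guess, so the "heuristic" label should be kept in the stored record rather than silently merged with the SYN-derived rows; and since any host can send a bare SYN, a port scan will create one origin entry per probed port, so on a real link the origin table needs an expiry, which is the same trade-off Luigi's sysctl net.inet.ip.dummynet.expire=0 makes in the other direction.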